A guided tour to approximate string matching
ACM Computing Surveys (CSUR)
Outside the Closed World: On Using Machine Learning for Network Intrusion Detection
SP '10 Proceedings of the 2010 IEEE Symposium on Security and Privacy
Intrusion detection in SCADA networks
AIMS'10 Proceedings of the Mechanisms for autonomous management of networks and services, and 4th international conference on Autonomous infrastructure, management and security
Specification-Based Intrusion Detection for Advanced Metering Infrastructures
PRDC '11 Proceedings of the 2011 IEEE 17th Pacific Rim International Symposium on Dependable Computing
SP 800-82. Guide to Industrial Control Systems (ICS) Security: Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC)
| Hi-index | 0.00 |
Because of a lack of attack signatures and different forms of attacks, signature-based network intrusion detection systems currently provide insufficient protection for industrial control traffic. A combination of two anomaly detection approaches found in the literature, one based on network flows and the other on protocol specific deep-packet inspection, seems to be able to detect many expected threats. Deep-packet inspection cannot be used however, when payloads cannot be read because they are encrypted, or the protocol is unfamiliar. This paper proposes an intrusion detection approach that does not need to inspect the payload, and can still perform much the same function as the deep-packet approach. It consists of three steps: separate insertions caused by commands from the background of polling cycle traffic, recognize and react on known insertions, and alert on unknown insertions. The approach is implemented using searches for series of packets, based on the edit distance from approximate string matching. Tests show that this implementation can perform the steps necessary for the approach.